Top Banner

Click here to load reader

IUT– Network Security Course 1 Network Security Firewalls

Dec 14, 2015



  • Slide 1

IUT Network Security Course 1 Network Security Firewalls Slide 2 IUT Network Security Course 2 Why Firewalls? The Internet allows you access to worldwide resources, but the Internet also allows the world to try and access your resources Slide 3 IUT Network Security Course 3 Why Firewalls? A firewall is inserted between the private network and the Internet Provides a choke point where security and audits can be imposed Single computer system or a set of systems can perform the firewall function Slide 4 IUT Network Security Course 4 Design Goals All traffic, from inside to outside and vice versa, must pass through the firewall Only authorized traffic (defined by the security policy) is allowed to flow Slide 5 IUT Network Security Course 5 Scope of Firewalls Single choke point - to protect vulnerable services from various kinds of attack (spoofing, DOS) Platform for non-security functions can be used for network address translation and network management Platform for IPSec implements VPN via tunnel mode Slide 6 IUT Network Security Course 6 Limitations of Firewalls Cannot protect against attack that bypasses the firewall bypass attack Does not protect against internal threats Cannot protect against the transfer of virus-infected programs Slide 7 IUT Network Security Course 7 Types of Firewalls Packet Filtering Router Application Level Gateway Circuit Level Gateway Slide 8 IUT Network Security Course 8 Packet Filtering Slide 9 IUT Network Security Course 9 Packet Filtering Router Applies a set of rules to each incoming IP packet and forwards or discards the packet Filters packets in both directions Slide 10 IUT Network Security Course 10 Packet Filtering Router Rules based on source and destination address and port number and IP protocol and interface List of rules looking for a match If no match, default action is taken Slide 11 IUT Network Security Course 11 Packet Filtering Router Two default policies: default = discard: That which is not expressly permitted is prohibited default = forward: That which is not expressly prohibited is permitted Slide 12 IUT Network Security Course 12 Packet Filtering Rules connection to our SMTP port **25OUR-GWallow we dont trust these guys*SPIGOT**block commentporttheirhostportourhostaction Inbound mail is allowed (port 25), but only to a mentioned host Everything from SPIGOT is blocked Slide 13 IUT Network Security Course 13 Packet Filtering Rules default****block commentporttheirhostportourhostaction This is the default policy It is usually the last rule This rule drops everything Slide 14 IUT Network Security Course 14 Packet Filtering Rules Connection to their SMTP port 25***allow commentporttheirhostportourhostaction Inside host can send mail to the outside Some other application could be linked to port 25 Attacker could gain access through port 25 Slide 15 IUT Network Security Course 15 Packet Filtering Rules their repliesACK**25*allow flags connection to their SMTP port 25**our hosts allow commentportdestportsrcaction This improves on the last situation Internal hosts can access SMTP anywhere ACKs from any SMTP server are permitted Slide 16 IUT Network Security Course 16 Packet Filtering Advantage: simple, transparent and very fast Disadvantage: difficulty in setting up rules correctly and completely Slide 17 IUT Network Security Course 17 Packet Filtering Attacks Vulnerable again Application layer attacks IP address spoofing packets from the outside have internal addresses in their source IP address field Tiny fragment attack designed to circumvent filtering rules that depend on TCP header information Slide 18 IUT Network Security Course 18 Real Life Example Slide 19 IUT Network Security Course 19 Stateful Inspection Layers Addressed By Stateful Inspection Slide 20 IUT Network Security Course 20 Stateful Inspection More secure because the firewall tracks client ports individually rather than opening all high-numbered ports for external access. Adds Layer 4 awareness to the standard packet filter architecture. Slide 21 IUT Network Security Course 21 Application Level Gateway Slide 22 IUT Network Security Course 22 Application Gateway Firewalls Layers Addressed by Application-Proxy Gateway Firewalls Slide 23 IUT Network Security Course 23 Application Level Gateway Acts as a relay of application level traffic Also called a proxy User contacts gateway for TELNET to remote host, user is authenticated, then gateway contacts remote host and relays info between two end points Slide 24 IUT Network Security Course 24 Application Level Gateway Can examine the packets to ensure the security of the application full packet awareness Very easy to log since entire packet seen Disadvantage: additional processing overhead for each connection increase load Slide 25 IUT Network Security Course 25 Circuit-Level Gateway Slide 26 IUT Network Security Course 26 Circuit Level Gateway Does not permit an end-to-end TCP connection Sets up two TCP connections one between itself and a TCP user on the inside and one between itself and a TCP user on the outside Relays TCP segments from one connection to the other without examining the contents Slide 27 IUT Network Security Course 27 Firewall Basing It is common to base a firewall on a stand- alone machine running a common operating system, such as UNIX or Linux. Firewall functionality can also be implemented as a software module in a router or LAN switch Slide 28 IUT Network Security Course 28 Bastion Host Usually a platform for an application or circuit level gateway Only essential services Allows access only to specific hosts Maintains detailed audit information by logging all traffic Choke point for discovering and terminating intruder attacks Slide 29 IUT Network Security Course 29 Bastion Host, Single-Homed Two systems: packet filtering router and bastion host For traffic from the Internet, only IP packets destined for the bastion host are allowed For traffic from the internal network, only relayed packets from the bastion host are allowed out Slide 30 IUT Network Security Course 30 Bastion Host, Single-Homed What happens if this is compromised? A Big Problem!!! Slide 31 IUT Network Security Course 31 Bastion Host, Dual-Homed Slide 32 IUT Network Security Course 32 Bastion Host, Dual-homed Bastion host second defense layer Internal network is completely isolated Packet forwarding is turned off More secure Slide 33 IUT Network Security Course 33 Screened Subnet Slide 34 IUT Network Security Course 34 Screened Subnet Most secure Isolated subnet with bastion host between two packet filtering routers Traffic across screened subnet is blocked Three layers of defense Internal network is invisible to the Internet Slide 35 IUT Network Security Course 35 Typical DMZ external network DMZ internal network Slide 36 What Is iptables? Stateful packet inspection. The firewall keeps track of each connection passing through it, This is an important feature in the support of active FTP and VoIP. Filtering packets based on MAC address, IPv4 and IPv6 Filtering packets based the values of the flags in the TCP header Helpful in preventing attacks using malformed packets and in restricting access. Network address translation and Port translating NAT/NAPT Building DMZ and more flexible NAT enviroments to increase security. System logging of network activities Provides the option of adjusting the level of detail of the reporting A rate limiting feature Helps to block some types of denial of service (DoS) attacks. Slide 37 Packet Processing In iptables Three builtin tables (queues) for processing: 1. MANGLE: is used in QOS to handle marking of packet or in data load distribution to distribute packets to different routes 2. FILTER: packet filtering, has three builtin chains (your firewall policy rules) Forward chain: filters packets to servers protected by firewall Input chain: filters packets destinated for the firewall Output chain: filters packets orginating from the firewall 3. NAT: network adress translation, has two builtin chains Pre-routing: NAT packets when destination address need changes Post-routing: NAT packets when source address need changes Slide 38 Processing For Packets Routed By The Firewall 1/2 Slide 39 Processing For Packets Routed By The Firewall 2/2 Slide 40 40 Packet Traversal in Linux Input Output Local Processes Forward Routing Decision Pre- Routing Post- Routing Slide 41 41 IPtables chains A chain is a sequence of filtering rules. Rules are checked in order. First match wins. Every chain has a default rule. If no rules match the packet, default policy is applied. Chains are dynamically inserted/ deleted.